Re: DNS Caching and resolv.conf



On Tue, 2005-12-20 at 15:16 -0800, Karl Hegbloom wrote:
> I never completely "got" the argument wrt why Bind is better than any
> arbitrary local DNS cache.  It had something to do with security issues
> surrounding VPN.  I wish that for the holiday, someone would write up a
> decent explanation for us, and/or post the URL to such on the list.
> (TIA)

Two reasons, which essentially boil down to the simple glibc resolver:

a) You can do split DNS: i.e., *.redhat.com -> Red Hat DNS, everything
else to my local nameserver.  You simply can't do this with
resolv.conf's syntax.

b) bind is instantly aware of resolv.conf changes, glibc takes a while
(up to 30s) to time out gethostbyname() calls when /etc/resolv.conf
changes.

These are limitations of glibc, and glibc developers indicated that they
do not wish to solve these problems there.  They wish glibc's resolver
to stay fairly uncomplicated, and advocated using 'lwresd' and the
lwresd NSS plugin.  lwresd was not viable for a few reasons, namely that
it had been unmaintained for a year, and the plugin had severe
limitations (i.e., really, really bad caching) that made it unusable.

Dan
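As an added illustration of point (a), not part of Dan's message and not any Red Hat configuration: a minimal named.conf for a local caching BIND that forwards only redhat.com queries to the VPN-side nameserver and resolves everything else from the root hints, which is the split that resolv.conf's flat nameserver list cannot express. The address 10.0.0.53 is an assumed placeholder for the VPN's nameserver.

```conf
// /etc/named.conf  (added example; 10.0.0.53 is a placeholder for the VPN resolver)
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };      // answer only the local stub resolver
    allow-query { 127.0.0.1; };    // do not become an open resolver on the LAN
    recursion yes;
    // No global forwarders: names outside the forward zone below are resolved
    // from the root hints, so the VPN's resolver never sees unrelated queries
    // and public resolvers never see the VPN's namespace.
};

// Split DNS: everything under redhat.com goes to the VPN's nameserver only.
zone "redhat.com" IN {
    type forward;
    forward only;                  // never fall back to public resolution for this zone
    forwarders { 10.0.0.53; };     // assumed VPN-side nameserver (placeholder)
};

// Root hints for everything else.
zone "." IN {
    type hint;
    file "named.ca";
};
```

With this in place, /etc/resolv.conf holds just `nameserver 127.0.0.1` and stays constant across VPN up/down, so the 30-second glibc timeout from point (b) never comes into play; only the forwarders line changes, and `rndc reload` picks it up immediately.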



